Section: New Results

Analytics

CPS Security analytics

Participants: Abdelkader Lahmadi [contact], Mingxiao Ma, Isabelle Chrisment.

During 2018, we designed and evaluated a novel type of attack, the Measurement as Reference (MaR) attack, against the cooperative control and communication layers of microgrids. The attacker targets the communication links between distributed generators (DGs) and manipulates the reference voltage data exchanged by their controllers. We analyzed the control-theoretic and detectability properties of this attack to assess its impact on reference voltage synchronization at the different control layers of a microgrid. Numerical simulation results presented in [15] demonstrate the attack, in particular the maximum voltage deviation and the inaccurate reference voltage synchronization it causes in the microgrid.
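To make the effect of tampering with exchanged reference voltages concrete, the following toy simulation is an added illustration and not the model analysed in [15]. It assumes four DGs exchanging references over a ring of links and running a plain discrete-time consensus update as a stand-in for the cooperative control layer; the attacker controls one link and replaces the reference one DG receives from its neighbour. The topology, gain and injected value are all constructed for the example.

```python
"""Toy simulation of reference-voltage synchronization between distributed
generators (DGs) under a Measurement-as-Reference style manipulation.

Added illustration, not the model analysed in [15]. Assumptions: the DGs
exchange their reference voltages over a ring of communication links and run
a plain discrete-time consensus update (a stand-in for the cooperative
control layer); the attacker controls one link and replaces the reference
that one DG receives from its neighbour with a value of its own choosing.
"""

# Constructed topology: four DGs in a ring, each exchanging references with
# its two neighbours over dedicated links.
NEIGHBOURS = {0: [1, 3], 1: [0, 2], 2: [1, 3], 3: [2, 0]}
V_NOMINAL = 1.0   # nominal reference voltage, per unit
GAIN = 0.2        # consensus step size (assumed; keeps the update stable)


def step(refs, attacked_link=None, injected=None):
    """One synchronization round.

    attacked_link=(src, dst) means the reference that `dst` receives from
    `src` is replaced on the wire by `injected`; every other exchange is
    delivered unmodified.
    """
    updated = {}
    for i, v_i in refs.items():
        correction = 0.0
        for j in NEIGHBOURS[i]:
            received = refs[j]
            if attacked_link == (j, i):
                received = injected   # MaR-style tampering of the exchanged data
            correction += received - v_i
        updated[i] = v_i + GAIN * correction
    return updated


def simulate(rounds, attacked_link=None, injected=None, initial=None):
    """Run `rounds` synchronization rounds; returns the list of reference
    vectors over time (initial state included)."""
    refs = dict(initial) if initial else {i: V_NOMINAL for i in NEIGHBOURS}
    history = [refs]
    for _ in range(rounds):
        refs = step(refs, attacked_link, injected)
        history.append(refs)
    return history


def max_deviation(history):
    """Largest deviation of any DG reference from nominal over the whole run."""
    return max(abs(v - V_NOMINAL) for refs in history for v in refs.values())


def sync_error(refs):
    """Spread between the highest and lowest reference at one instant; zero
    means the DGs are perfectly synchronized (possibly on a wrong value)."""
    return max(refs.values()) - min(refs.values())


if __name__ == "__main__":
    clean = simulate(100, initial={0: 1.02, 1: 0.98, 2: 1.00, 3: 1.01})
    print("no attack   : max deviation %.4f, final spread %.2e"
          % (max_deviation(clean), sync_error(clean[-1])))
    attacked = simulate(100, attacked_link=(1, 0), injected=1.10)
    print("MaR on 1->0 : max deviation %.4f, final spread %.2e, final refs %s"
          % (max_deviation(attacked), sync_error(attacked[-1]),
             {k: round(v, 4) for k, v in attacked[-1].items()}))
```

Without the attack the four DGs settle on the average of their initial references. With the tampered link, the consensus has nothing to detect at the protocol level: every DG still converges, but the whole microgrid is dragged towards the attacker's injected value, and the transient shows the DGs temporarily out of synchronization.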

Analysis of Internet-wide attacks

Participants: Abdelkader Lahmadi [contact], Giulia de Santis, Jérôme François, Olivier Festor.

Internet-wide scanners are heavily used for malicious activities. In [13], we developed models based on HMMs (Hidden Markov Models) and finite mixture models to identify network scanners from the packets received by a darknet. We used data collected by the darknet hosted in the High Security Lab of Inria Nancy - Grand Est to build these models, characterizing the spatial movements (the sequence of targeted addresses) and temporal movements (the timing between probes) of the studied scanners (Zmap and Shodan). Our models recognize the scanner with an accuracy of 95% when using spatial movements and of 98% when using temporal movements.
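As an added example of the HMM-based recognition idea (this is not the code or the models of [13]), the block below extracts spatial and temporal movement symbols from a sequence of darknet probes and scores the spatial sequence under two hand-set discrete HMMs with the forward algorithm. The two profiles, "sweep" and "random", their parameters and the probe traces are constructed for the example; in practice the parameters would be estimated from labelled darknet traces.

```python
"""Recognising a network scanner from its spatial and temporal movements on a
darknet with discrete HMMs.

Added example, not the models of [13]. The two scanner profiles below are
hand-set (hypothetical) HMMs standing in for models that would be estimated
from labelled darknet traces; the forward algorithm scores an observed
sequence under each profile and the most likely profile is reported.
"""
import ipaddress
import math


# Spatial movement between consecutive probes, quantised into three symbols:
# 0 = the very next address, 1 = a short forward jump (at most 256 addresses),
# 2 = a long jump forward or any move backwards.
def spatial_symbols(dst_addrs):
    ints = [int(ipaddress.ip_address(a)) for a in dst_addrs]
    out = []
    for prev, cur in zip(ints, ints[1:]):
        delta = cur - prev
        if delta == 1:
            out.append(0)
        elif 1 < delta <= 256:
            out.append(1)
        else:
            out.append(2)
    return out


# Temporal movement: inter-arrival time in seconds, quantised into
# 0 = burst (< 10 ms), 1 = paced (10 ms .. 1 s), 2 = slow (> 1 s).
def temporal_symbols(timestamps):
    out = []
    for prev, cur in zip(timestamps, timestamps[1:]):
        gap = cur - prev
        out.append(0 if gap < 0.01 else 1 if gap <= 1.0 else 2)
    return out


def _logsumexp(values):
    m = max(values)
    return m + math.log(sum(math.exp(v - m) for v in values))


class DiscreteHMM:
    """Hidden Markov model with discrete emissions over symbols 0..K-1."""

    def __init__(self, start, trans, emit):
        self.start, self.trans, self.emit = start, trans, emit

    def log_likelihood(self, obs):
        """Forward algorithm in log space: log P(obs | model)."""
        if not obs:
            raise ValueError("empty observation sequence")
        n = len(self.start)
        alpha = [math.log(self.start[s]) + math.log(self.emit[s][obs[0]])
                 for s in range(n)]
        for o in obs[1:]:
            alpha = [
                _logsumexp([alpha[p] + math.log(self.trans[p][s]) for p in range(n)])
                + math.log(self.emit[s][o])
                for s in range(n)
            ]
        return _logsumexp(alpha)


# Hypothetical profiles (parameters chosen by hand for this example).
# "sweep": mostly consecutive addresses, occasionally hopping to a new block.
# "random": targets drawn from all over the address space.
SPATIAL_PROFILES = {
    "sweep": DiscreteHMM(start=[0.9, 0.1], trans=[[0.9, 0.1], [0.5, 0.5]],
                         emit=[[0.85, 0.10, 0.05], [0.20, 0.50, 0.30]]),
    "random": DiscreteHMM(start=[0.5, 0.5], trans=[[0.7, 0.3], [0.3, 0.7]],
                          emit=[[0.05, 0.15, 0.80], [0.10, 0.30, 0.60]]),
}


def classify(obs, profiles):
    """Return (best profile name, {profile name: log-likelihood})."""
    scores = {name: m.log_likelihood(obs) for name, m in profiles.items()}
    return max(scores, key=scores.get), scores


# Constructed darknet observations (documentation address ranges only).
SWEEP_TRACE = (["203.0.113.%d" % i for i in range(1, 9)]
               + ["203.0.114.%d" % i for i in range(1, 5)])
RANDOM_TRACE = ["203.0.113.7", "198.51.100.200", "192.0.2.33", "203.0.113.250",
                "192.0.2.9", "198.51.100.4", "203.0.113.1"]

if __name__ == "__main__":
    for name, trace in (("sweep", SWEEP_TRACE), ("random", RANDOM_TRACE)):
        best, scores = classify(spatial_symbols(trace), SPATIAL_PROFILES)
        print(name, "->", best, {k: round(v, 2) for k, v in scores.items()})
```

The same `DiscreteHMM` class applies unchanged to the temporal symbols; only the profiles differ, which is why the spatial and temporal models in the text can be evaluated separately against the same darknet capture.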

Under the umbrella of the ThreatPredict project with the International University of Rabat, we performed a preliminary exploratory analysis of Inria darknet data, examining time series of scan activities and the scanning behavior of different attackers [24]. We ran clustering experiments on the darknet data to extract threat patterns, including scanning and DDoS activities. We are extending the technique with more features and developing a HoloLens-based visualization of the resulting graphs. In our experience, traffic analysis with machine learning or data-mining techniques faces a major challenge: some data cannot be represented in a meaningful metric space. TCP and UDP port numbers are a prime example, since numerically close ports are not necessarily related. We thus proposed a new semantic metric between port numbers that does not follow the regular numeric distance but relies on attacks observed in the past.
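One way to realise a port metric driven by past attacks, given here as an added example rather than the metric the team defined: each port is described by the set of attacking sources that targeted it in the history, and the distance between two ports is the Jaccard distance between those sets. The attack history is constructed for the example (documentation address ranges), as is the choice of Jaccard as the set distance.

```python
"""Semantic distance between port numbers learned from past attack observations.

Added example, not the metric defined by the team. Each port is described by
the set of attacking sources that targeted it in a constructed history, and
the distance between two ports is the Jaccard distance between those sets,
so ports hit by the same attackers are close regardless of their numeric gap.
"""
from collections import defaultdict

# Constructed darknet history: (attacking source, destination port).
HISTORY = [
    ("198.51.100.7", 22), ("198.51.100.7", 2222), ("198.51.100.7", 23),
    ("203.0.113.9", 22), ("203.0.113.9", 2222),
    ("192.0.2.44", 22), ("192.0.2.44", 2222), ("192.0.2.44", 23), ("192.0.2.44", 2323),
    ("198.51.100.200", 80), ("198.51.100.200", 8080), ("198.51.100.200", 443),
    ("203.0.113.77", 80), ("203.0.113.77", 8080),
    ("192.0.2.9", 81), ("192.0.2.9", 8081),
]


def attackers_by_port(history):
    """Profile each port by the set of sources observed attacking it."""
    ports = defaultdict(set)
    for src, port in history:
        ports[port].add(src)
    return ports


PORT_PROFILE = attackers_by_port(HISTORY)


def semantic_distance(a, b, profile=PORT_PROFILE):
    """Jaccard distance between the attacker sets of ports a and b.

    A port never seen in the history has no profile and is treated as
    maximally distant (1.0) from every other port.
    """
    sa, sb = profile.get(a, set()), profile.get(b, set())
    if not sa or not sb:
        return 1.0
    return 1.0 - len(sa & sb) / len(sa | sb)


def numeric_distance(a, b):
    """The naive metric the semantic one replaces."""
    return abs(a - b)


def nearest_ports(port, k, profile=PORT_PROFILE):
    """The k ports semantically closest to `port` (ties broken by port number)."""
    others = [p for p in profile if p != port]
    return sorted(others, key=lambda p: (semantic_distance(port, p, profile), p))[:k]


def compare(a, b):
    """Side-by-side view of both metrics for one port pair."""
    return {"ports": (a, b),
            "numeric": numeric_distance(a, b),
            "semantic": round(semantic_distance(a, b), 3)}


if __name__ == "__main__":
    for pair in ((22, 2222), (80, 81), (80, 8080), (22, 23)):
        print(compare(*pair))
    print("closest to 22:", nearest_ports(22, 3))
```

With this history, 22 and 2222 are at distance 0 although 2200 apart numerically, while 80 and 81 are at the maximum distance although adjacent; that is exactly the behaviour a clustering step over darknet traffic needs from a port feature.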

Cyber Threat Intelligence

Participants: Jérôme François, Abdelkader Lahmadi [contact], Quang Vinh Dang.

We are exploring and validating techniques for learning correlations between vulnerabilities and attack patterns from cyber threat intelligence data sources, including CVE (Common Vulnerabilities and Exposures), CAPEC (Common Attack Pattern Enumeration and Classification) and CWE (Common Weakness Enumeration) documents. Some relations between these documents already exist, but they have been defined manually and are therefore quite incomplete. Finding these relations is a cumbersome and tedious task; our objective is to guide, or even automate, the detection of relations or correlations between documents, which would ease the understanding and mitigation of threats. Our work leverages NLP (Natural Language Processing) techniques combined with graph-based and recommendation-based mining. First results show the ability of our technique to automatically discover missing relations between attack patterns and vulnerability descriptions in the context of SDN [12]. We are also considering word and document embeddings to identify correlations between them.
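The following added example (not the team's system, and not the embedding approach) shows how the two signals mentioned above can be combined on a small knowledge base: the explicit graph VULN -> CWE -> CAPEC yields attack patterns for records that carry a CWE tag, and TF-IDF cosine similarity between descriptions proposes attack patterns for records whose tags are missing. The CWE and CAPEC identifiers are real, their one-line descriptions are paraphrased, and the vulnerability records are constructed placeholders (VULN-*) in the shape of CVE entries; the 0.2 similarity threshold is an assumption.

```python
"""Discovering missing links between vulnerability records and attack
patterns by combining graph traversal and text similarity.

Added example, not the team's system. The CWE and CAPEC identifiers are real,
their descriptions are paraphrased, and the vulnerability records are
constructed placeholders (VULN-*) in the shape of CVE entries.
"""
import math
import re
from collections import Counter

# Weakness records: description plus the CAPEC patterns CWE already lists.
WEAKNESSES = {
    "CWE-79": {"desc": "Improper neutralization of input during web page generation (cross-site scripting).",
               "capec": ["CAPEC-63"]},
    "CWE-89": {"desc": "Improper neutralization of special elements used in an SQL command (SQL injection).",
               "capec": ["CAPEC-66"]},
    "CWE-78": {"desc": "Improper neutralization of special elements used in an OS command (OS command injection).",
               "capec": ["CAPEC-88"]},
}

ATTACK_PATTERNS = {
    "CAPEC-63": "Cross-site scripting. An adversary embeds malicious script in content that is served to a web browser by a web application.",
    "CAPEC-66": "SQL injection. An adversary injects SQL statements into user input that the application concatenates into a database query.",
    "CAPEC-88": "OS command injection. An adversary injects operating system commands into user input that the application passes to a shell.",
}

# Constructed vulnerability records. VULN-2 carries no CWE tag, so the
# explicit graph alone cannot relate it to any attack pattern.
VULNS = {
    "VULN-1": {"desc": "Cross-site scripting vulnerability allows remote attackers to inject arbitrary web script via the name parameter.",
               "cwe": ["CWE-79"]},
    "VULN-2": {"desc": "SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands via the id parameter of the database search query.",
               "cwe": []},
    "VULN-3": {"desc": "Command injection vulnerability allows remote attackers to execute arbitrary operating system commands via a crafted request passed to a shell.",
               "cwe": ["CWE-78"]},
}


def graph_candidates(vuln_id):
    """Attack patterns reachable through the explicit VULN -> CWE -> CAPEC links."""
    found = set()
    for cwe in VULNS[vuln_id]["cwe"]:
        found.update(WEAKNESSES.get(cwe, {}).get("capec", []))
    return found


def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())


def tfidf_vectors(docs):
    """docs: {id: text} -> {id: {term: tf-idf weight}} using a smoothed idf."""
    tokens = {d: tokenize(t) for d, t in docs.items()}
    df = Counter()
    for toks in tokens.values():
        df.update(set(toks))
    n = len(docs)
    return {d: {t: c * (math.log((1 + n) / (1 + df[t])) + 1.0)
                for t, c in Counter(toks).items()}
            for d, toks in tokens.items()}


def cosine(u, v):
    dot = sum(w * v.get(t, 0.0) for t, w in u.items())
    nu = math.sqrt(sum(w * w for w in u.values()))
    nv = math.sqrt(sum(w * w for w in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


# One vector space over attack patterns and vulnerability descriptions.
VECTORS = tfidf_vectors({**ATTACK_PATTERNS, **{k: v["desc"] for k, v in VULNS.items()}})


def text_candidates(vuln_id):
    """CAPEC entries ranked by description similarity, best first."""
    scores = [(capec, cosine(VECTORS[vuln_id], VECTORS[capec])) for capec in ATTACK_PATTERNS]
    return sorted(scores, key=lambda s: s[1], reverse=True)


def missing_relations(threshold=0.2):
    """(vuln, capec) pairs the text suggests but the explicit graph lacks.

    The threshold is an assumption for this example; it would be tuned on
    the manually defined relations that do exist.
    """
    proposals = []
    for vuln in VULNS:
        known = graph_candidates(vuln)
        for capec, score in text_candidates(vuln):
            if score >= threshold and capec not in known:
                proposals.append((vuln, capec))
    return proposals


if __name__ == "__main__":
    for vuln in VULNS:
        print(vuln, "graph:", sorted(graph_candidates(vuln)),
              "text:", [(c, round(s, 2)) for c, s in text_candidates(vuln)[:2]])
    print("proposed missing relations:", missing_relations())
```

The graph step recovers only what was written down by hand; the text step is what turns an untagged record such as VULN-2 into a candidate relation, and restricting proposals to pairs absent from the graph keeps the output focused on the incompleteness the text describes.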